Sourcefire VRT Rules Update

Date: 2011-03-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.6.1.

The format of the file is:

sid - Message (rule group, priority)

New rules:
18266 <-> NETBIOS DCERPC NCADG-IP-UDP rpcss2_RemoteGetClassObject attempt (netbios.rules, Low)
18267 <-> NETBIOS DCERPC NCACN-IP-TCP rpcss2_RemoteGetClassObject attempt (netbios.rules, Low)
18268 <-> BLACKLIST DNS request for known malware domain 35free.net (blacklist.rules, High)
18269 <-> BLACKLIST DNS request for known malware domain dnf.6bom.com (blacklist.rules, High)
18270 <-> BLACKLIST DNS request for known malware domain koonol.com (blacklist.rules, High)
18271 <-> BLACKLIST DNS request for known malware domain move.su (blacklist.rules, High)
18272 <-> BLACKLIST DNS request for known malware domain www.886.com (blacklist.rules, High)

Updated rules:
3397 <-> NETBIOS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance attempt (netbios.rules, Low)
3398 <-> NETBIOS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance attempt (netbios.rules, Low)
8057 <-> MYSQL Date_Format denial of service attempt (mysql.rules, Medium)
9430 <-> WEB-CLIENT Quicktime Movie link file URI security bypass attempt (web-client.rules, High)
13990 <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules, Medium)
15186 <-> MISC Multiple vendors CUPS HPGL filter remote code execution attempt (misc.rules, High)
15187 <-> DELETED MISC Multiple vendors CUPS HPGL filter remote code execution attempt (deleted.rules, High)
15189 <-> DELETED MISC Multiple vendors CUPS HPGL filter remote code execution attempt (deleted.rules, High)
15512 <-> NETBIOS DCERPC NCACN-IP-TCP rpcss2_RemoteGetClassObject attempt (netbios.rules, Low)
15513 <-> NETBIOS DCERPC NCADG-IP-UDP rpcss2_RemoteGetClassObject attempt (netbios.rules, Low)
16038 <-> SMTP Mozilla Thunderbird WYSIWYG engine filtering IFRAME JavaScript execution attempt (smtp.rules, High)
17290 <-> DELETED WEB-CLIENT Quicktime Plug-In Security Bypass (deleted.rules, High)